A case study from FIDO member Yubico on a partnership with NIST to deploy secure online access for a US school district, integrating ID proofing with FIDO U2F authentication.
All Rights Reserved | FIDO Alliance | Copyright 2017
Deployment Case Study: Authentication and ID Proofing
Why are we solving this?
● Strong authentication not always tied to identity of user
● FIDO authentication mostly decoupled from ID Proofing
● ID Proofing required for higher assurance levels
● Current options for ID Proofing and strong authentication violate user privacy
● Remote ID Proofing often tied to KBV (knowledge-based verification)
NSTIC Vision
“Individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.”
- National Strategy for Trusted Identities in Cyberspace (NSTIC)
The Project
● Cooperative project with the US National Institute of Standards & Technology (NIST)
● Secure online access for a US school district (Janesville, Wisconsin)
● Yubico awarded the grant, working with UnitedID and SUNET
● Integrate ID Proofing with FIDO U2F authentication
● Extend the benefits of FIDO U2F to federated identity environments
● Share attributes securely, conveniently and in a privacy-enhancing way
● ID Proofing (without KBV) with delivery of a pre-registered authenticator
ID verified FIDO Authenticators
● Successful remote proofing pre-registers the authenticator
● Pre-registration of the authenticator ensures authenticity and integrity (the first FIDO credential must be ID verified)
(Flow diagram: mobile ID scanning of a driver’s license or state ID → U2F YubiKeys sent to the address on the ID → secure access to any number of services)
ID Proofing and Verification
Token Issuance and Logistics
Extending FIDO to Identity Ecosystem
● Extend U2F to services connected via these federation protocols
• U2F Shibboleth (SAML) and OpenID Connect plug-in
• Open source reference implementation
● Build ID Proofing engine using OpenID Connect
• Allows for multiple proofing solutions/providers
• Part of the Identity toolkit
Lessons Learned
● Protecting PII is time and resource intensive
● Difficult to achieve the highest identity assurance level with remote ID proofing
● High level of trust required in integrations with third-party vendors
● Compatibility challenges across diverse operating systems and devices
● Additional techniques needed to onboard special education students
● Ongoing efforts to gather and correlate user metrics